ExpressJS Session Tutorial

On a recent project - piTunes.io - I needed to design a server that could authenticate a user and identify them later through cookies. The following is a tutorial on how to use Node.js/ExpressJS with sessions to save user state.

Back-End Setup

Creating the Express App

Creating an Express app is simple and quick! Simply require Express and our middleware (after installing through NPM).

terminal
1
2
3
4
npm init
npm install express --save
npm install cookie-parser --save
npm install express-session --save
app.js
1
2
3
4
5
var express = require('express');
var cookieParser = require('cookie-parser');
var session = require('express-session');
var app = express();

Express Sessions

When a client connects to the server, the Express-Session middleware automatically adds a session object to the request. You can add any informaton you want to remember to the session object and save it on the server-side. A cookie with an identifier token is saved on the client side.

Here we apply the middleware to the app:

app.js
1
2
3
4
5
6
7
8
9
10
//cookie parser is required for sessions to appear
app.use(cookieParser());
//session instantiation has some required arguments,
//the Session documentation is pretty clear
app.use(session({
secret: 'boo',
resave: false,
saveUninitialized: false
}));

When the client connects in the future, the server can restore the session that corrsponds to the cookie identifier.

To check authentication and enforce access restrictions, we created a custom middleware function that determines if a users cookie identifier matches a stored session on the server.

(In this example, we are using the session memory store included with Express-Session to save and load prior sessions. This memory store is deleted everytime the server stops so you will need to save to a more stable storage (i.e. database) for production code.)

app.js
1
2
3
4
5
6
7
8
9
//check for session.user, if not found then redirect user to login
function restrict(req, res, next) {
if (req.session.user) {
next();
} else {
req.session.error = 'Access denied!';
res.redirect('/login');
}
}

Putting It All Together

Here is the final code for our tutorial server. The server will remember a user who previously logged in and save them the hastle of logging in again!

app.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
var express = require('express');
var cookieParser = require('cookie-parser');
var session = require('express-session');
var app = express();
//cookie parser is required for sessions to appear
app.use(cookieParser());
//session instantiation has some required arguments,
//the Session documentation is pretty clear
app.use(session({
secret: 'boo',
resave: false,
saveUninitialized: false
}));
function restrict(req, res, next) {
//allow users with an active session as well as login page access
if (req.session.user || req.url === '/login') {
next();
} else {
req.session.error = 'Access denied!';
res.redirect('/login');
}
}
app.use(restrict);
app.post('/login', function(req, res) {
if (/*login is valid*/) {
req.session.user = {};
req.session.save();
res.redirect('/');
} else {
res.send(/*loginPageData*/)
}
});
app.get('/login', function(req, res) {
res.send(/*loginPageData*/)
});
//client will only be routed to paths below if they were authenticated
app.get('/', function(req, res) {
res.send('You are a real user if you can see this!'');
});
console.log('Listening on 8080');
app.listen(808);